Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & FIM (It Is Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-09-05) Querying An Event Log Of One Or Multiple Computers For A String

Posted by Jorge on 2013-09-05


Have you ever had the need to query multiple computers for a specific string in some Event Log? Well, look no further! Here is a PowerShell script that does it for you!

-

# SCRIPT NAME: Search-EventLog-For-String.ps1
Param (
    [string[]]$listOfServers,      # explicit list of computers to query
    [string]$discoverDC,           # "LOCALDOMAIN" or "LOCALSITE" to discover DCs instead of listing them
    [string]$eventLogName,         # e.g. Security, System, "Directory Service"
    [string]$stringToSearchFor,    # matched against the event message (-match uses regex semantics)
    [bool]$table,                  # $true = table output, anything else = list output
    [bool]$list                    # accepted but not used; list output is already the default
)

# Discover all DCs in the local AD domain that have an IP address registered
If ($discoverDC.ToUpper() -eq "LOCALDOMAIN") {
    $listOfServers = ([system.directoryservices.activedirectory.Domain]::GetCurrentDomain()).DomainControllers | ?{$_.IPAddress -ne $null} | %{$_.Name}
}

# Discover only the DCs in the same AD site as the computer the script runs on
If ($discoverDC.ToUpper() -eq "LOCALSITE") {
    $adSiteLocalComputer = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $listOfServers = ([system.directoryservices.activedirectory.Domain]::GetCurrentDomain()).DomainControllers | ?{$_.IPAddress -ne $null -And $_.SiteName -eq $adSiteLocalComputer} | %{$_.Name}
}

# Read the log from each server and keep the events whose message matches the string
$relatedEvents = @()
$listOfServers | %{
    $relatedEventsOnServer = Get-WinEvent -ComputerName $($_) -LogName $eventLogName | ?{ $_.Message -match $stringToSearchFor}
    $relatedEvents += $relatedEventsOnServer
}

If ($table) {
    $relatedEvents | FT Id, MachineName, LogName, TimeCreated, Message -AutoSize
} Else {
    $relatedEvents | FL Id, MachineName, LogName, TimeCreated, Message
}
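Two things worth knowing before pointing the script above at a busy Security log: Get-WinEvent with only -LogName pulls every record across the network and filters on the client, and -match treats the search string as a regular expression, so a string containing "(", "." or "\" is interpreted rather than matched literally. The following variant is an added example (my own code, not Jorge's script) that keeps the same output columns but filters server-side by time window and optional event ID, escapes the search string, and reports connection or permission errors per server instead of dropping them. The -eventId and -lastHours parameters and the 24-hour default are my assumptions, not part of the original script.

```powershell
# Added example (not from the original post): Search-EventLog-For-String-Filtered.ps1
# Same purpose as Jorge's script, but the log name, time window and (optionally)
# event IDs are applied by the remote Event Log service via -FilterHashtable,
# and the search string is matched literally.
Param (
    [Parameter(Mandatory = $true)][string[]]$listOfServers,
    [Parameter(Mandatory = $true)][string]$eventLogName,
    [Parameter(Mandatory = $true)][string]$stringToSearchFor,
    [int[]]$eventId,            # assumed parameter: restrict to these event IDs
    [int]$lastHours = 24,       # assumed parameter: look back this many hours
    [switch]$table
)

# Server-side filter: LogName and StartTime always, Id only when supplied.
$filter = @{
    LogName   = $eventLogName
    StartTime = (Get-Date).AddHours(-$lastHours)
}
If ($eventId) { $filter['Id'] = $eventId }

# Escape the search string so regex metacharacters are matched as plain text.
$pattern = [regex]::Escape($stringToSearchFor)

$relatedEvents = foreach ($server in $listOfServers) {
    Try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match $pattern }
    } Catch {
        # "No events were found" simply means an empty result for this server;
        # anything else (RPC unavailable, access denied) is surfaced as a warning
        # so a silent gap in coverage does not look like a clean result.
        If ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$server : $($_.Exception.Message)"
        }
    }
}

If ($table) {
    $relatedEvents | Format-Table Id, MachineName, LogName, TimeCreated, Message -AutoSize
} Else {
    $relatedEvents | Format-List Id, MachineName, LogName, TimeCreated, Message
}
```

Usage mirrors the original, e.g. .\Search-EventLog-For-String-Filtered.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon" -lastHours 6 -table. Reading the Security log remotely still requires membership in the Event Log Readers group (or local administrator rights) on each target and the "Remote Event Log Management" firewall rule group to be enabled there; the Catch block will tell you which server refused rather than returning an empty list.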

-

Some examples:

-

Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon" -table $true

Figure 1: Specifying A Single Server And Displaying In Table Format

-

Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon"

Figure 2: Specifying A Single Server And Displaying In List Format

-

Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN,R2FSRODC5.ADDMZ.LAN,R2FSRODC6.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon" -table $true

Figure 3: Specifying A List Of Servers And Displaying In Table Format

-

Search-EventLog-For-String.ps1 -listOfServers R2FSMBSVA.ADDMZ.LAN,R2FSRODC5.ADDMZ.LAN,R2FSRODC6.ADDMZ.LAN -eventLogName Security -stringToSearchFor "An Error occured during Logon"

Figure 4: Specifying A List Of Servers And Displaying In List Format

-

Search-EventLog-For-String.ps1 -discoverDC LOCALDOMAIN -eventLogName System -stringToSearchFor "This computer was not able to set up a secure session with a domain controller in domain" -table $true

Figure 5: Discovering All DCs (RWDCs And RODCs) In The Same AD Domain As The Server The Script Is Executed On And Displaying In Table Format

-

Search-EventLog-For-String.ps1 -discoverDC LOCALDOMAIN -eventLogName System -stringToSearchFor "This computer was not able to set up a secure session with a domain controller in domain"

Figure 6: Discovering All DCs (RWDCs And RODCs) In The Same AD Domain As The Server The Script Is Executed On And Displaying In List Format

-

Search-EventLog-For-String.ps1 -discoverDC LOCALSITE -eventLogName "Directory Service" -stringToSearchFor "KCC" -table $true

Figure 7: Discovering All DCs (RWDCs And RODCs) In The Same AD Site As The Server The Script Is Executed On And Displaying In Table Format

-

Search-EventLog-For-String.ps1 -discoverDC LOCALSITE -eventLogName "Directory Service" -stringToSearchFor "KCC"

Figure 8: Discovering All DCs (RWDCs And RODCs) In The Same AD Site As The Server The Script Is Executed On And Displaying In List Format

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
